CVE-2021-33500
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
PuTTY before 0.75 on Windows allows remote servers to cause a denial of service (Windows GUI hang) by telling the PuTTY window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls.
NOTE: the same attack methodology may affect some OS-level GUIs on Linux or other platforms for similar reasons.
OSC Escape Sequences and Terminal Title Changes
Terminal emulators support a class of escape sequences called OSC (Operating System Command) codes. These allow the running process (a remote shell, application, or SSH server) to send commands to the terminal emulator itself — outside the normal text output. The sequences are invisible to the user and processed by the terminal.
The OSC sequence for changing the terminal window title is:
\033]0;<title>\007
Broken down:
\033] — ESC followed by ]: begins an OSC sequence
0 — parameter: sets both the icon name and window title
; — separator between parameter and value
<title> — the new title string
\007 — BEL (0x07): terminates the OSC sequence
This is a standard feature supported by virtually all terminal emulators. When a server sends this sequence, the terminal calls the operating system to update the window title.
The Windows API Function: SetWindowText
On Windows, PuTTY implements title changes by calling the Windows API function SetWindowTextA or SetWindowTextW (depending on encoding). This function:
Sends a WM_SETTEXT message to the window
Updates the window’s title bar text
Triggers a window repaint
The Windows GUI message pump processes WM_SETTEXT messages synchronously in the
main GUI thread. Each call blocks until the window manager has processed the update
and completed the repaint.
The Vulnerability
PuTTY’s main SSH reading loop processes incoming data (including OSC escape sequences) in the same thread as the GUI message pump. When a server sends title-change sequences faster than the GUI thread can process them:
Incoming SSH data is queued as network I/O
Each OSC title sequence calls SetWindowTextA/W
Each call blocks waiting for the GUI repaint to complete
New data continues arriving from the network, adding more OSC sequences
The GUI thread is permanently occupied processing title changes
The window stops responding to user input — it is hung
The hang persists as long as the server sends new title-change sequences. Since the attack requires no authentication beyond the initial SSH session setup, a malicious server can trigger this immediately after the user connects.
Generating the Attack
Any shell command that continuously outputs OSC title sequences at high speed will trigger the hang. On the server side (or injected via SSH-MITM):
PS1=''
while :
do
echo -ne "\033]0;NEW_TITLE${RANDOM}\007"
done
The ${RANDOM} variable ensures each title is different — some implementations
optimize away repeated identical titles, so varying the title keeps the calls going.
The PS1='' disables the shell prompt (otherwise the prompt itself would interleave
with the output). In a MitM scenario, this can be injected directly into the SSH
channel data stream.
Mitigation
Update PuTTY to version >= 0.75. The fix rate-limits title changes so that the GUI thread is not overwhelmed regardless of how fast the server sends OSC sequences.
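The rate-limiting idea described above, shown as an added example in C. It is not PuTTY's actual fix and not code from the original page. The names term_t, term_feed, term_tick and simulate_flood and the 50 ms interval are assumptions made for illustration, and the flood input is constructed. The parser only records the newest title; the expensive GUI update runs at most once per interval, so the cost no longer scales with what the server sends.

```c
#include <stdio.h>
#include <string.h>
#define TITLE_MAX 256
#define MIN_INTERVAL_MS 50   /* assumed budget: at most 20 title updates per second */
typedef struct {                                 /* zero-initialise before use */
    enum { GROUND, ESC, OSC } st;                /* parser state */
    char buf[TITLE_MAX]; size_t len;             /* OSC payload being collected */
    char pending[TITLE_MAX], shown[TITLE_MAX];   /* newest title; title on screen */
    int dirty; long next_ms; unsigned gui_calls; /* update due; rate gate; counter */
} term_t;

/* Runs after each feed and from a timer; stands in for SetWindowTextA/W. */
void term_tick(term_t *t, long now_ms) {
    if (!t->dirty || now_ms < t->next_ms) return;
    t->dirty = 0;
    if (strcmp(t->shown, t->pending) == 0) return;   /* unchanged: no GUI call */
    strcpy(t->shown, t->pending); t->gui_calls++; t->next_ms = now_ms + MIN_INTERVAL_MS;
}

/* Parse server output; a title sequence only overwrites `pending` (cheap). */
void term_feed(term_t *t, const unsigned char *p, size_t n, long now_ms) {
    for (size_t i = 0; i < n; i++) {
        unsigned char c = p[i];
        if (t->st == GROUND) { if (c == 0x1b) t->st = ESC; }
        else if (t->st == ESC) { t->len = 0; t->st = (c == ']') ? OSC : (c == 0x1b) ? ESC : GROUND; }
        else if (c != 0x07) {   /* inside OSC: collect, truncating long payloads */
            if (t->len < TITLE_MAX - 1) t->buf[t->len++] = (char)c;
        } else {                /* BEL ends the sequence; parameter 0 sets the title */
            t->buf[t->len] = '\0';
            if (t->buf[0] == '0' && t->buf[1] == ';') { strcpy(t->pending, t->buf + 2); t->dirty = 1; }
            t->st = GROUND;
        }
    }
    term_tick(t, now_ms);
}

unsigned simulate_flood(term_t *t, unsigned n) {   /* constructed input: one title per ms */
    for (unsigned i = 0; i < n; i++) {
        char seq[64];
        int len = snprintf(seq, sizeof seq, "\033]0;NEW_TITLE%u\007", i);
        term_feed(t, (const unsigned char *)seq, (size_t)len, (long)i);
    }
    return t->gui_calls;
}

int main(void) {
    term_t t = {0};
    return printf("GUI updates for 1000 sequences: %u\n", simulate_flood(&t, 1000)) < 0;
}
```

The timer call to term_tick matters: it is what applies the last pending title once the stream goes quiet, so the window still ends up showing the newest value.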